GHSA-CM35-V4VP-5XVX Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Summary Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event SSE execute events. This leads to authentication token theft, comple...